Forum Discussion
Trouble with 302 Redirects and SAML
I have a SAML Resource set up on an APM webtop. The Virtual Server for the webtop is accessed at . This SAML Resource is an F5 IdP configuration that POSTs the SAML assertion to the ACS endpoint https://[publicIP]/wg/saml/SSO/index.html. I have an iRule attached to the Virtual Server that catches the /wg/saml/SSO/index.html and sends it to the pool of the SP. The problem is, when the SP gets the assertion, it sends a 302 redirect back to , and that triggers a new APM session.
I am wondering what I am doing wrong here. I don't have another public IP to assign to the SP so I am relying on the single Public IP and 1 Virtual Server. The other option I have tried is by setting up a Portal Access Resource, with a rewrite profile on the private IP of the SP. I am having issues with the SAML AuthN request and the SAML assertion in this setup as well, as they are looking for public IPs for both sides and I am having trouble getting the assertion to go back to the Portal Access Resource itself.
- AMiles_377865
Cirrocumulus
Could you post your iRule?
- rbmcnicholas
Nimbostratus
when HTTP_REQUEST {
    if { [HTTP::path] eq "/wg/saml/SSO/index.html" } {
        pool SP
    }
}
Are you using a vip targeting vip setup for this?
- rbmcnicholas
Nimbostratus
I am not currently. Is that something I should be doing? Again, I am having a hard time understanding how to direct traffic back to the Portal Access Resource itself. All of the documentation makes it seem like you just set up the IdP and attach it to the resource and you are good to go.
So the IdP is the BIG-IP and the webserver is the SP??
 
Create a vip targeting vip configuration youtube and based on the uri path send traffic to the correct backend vip. On one backend vip attach the IdP APM policy, on the other assign the load balancing pool. 
You can use this article as an example for the configuration.
 
Cheers,
 
Kees
 
- rbmcnicholas
Nimbostratus
Kees,
How would this work on the APM webtop? What type of resource would you assign and what would the URI there be?
Ryan
- Karim
Cirrostratus
Hi,
Could you please explain what you want to achieve? Why are you using the iRule to redirect the traffic?
Many thanks,
Karim